# SELinux policy module for the milter-regex mail filter.
# Declares the module name and version, then adds the few permissions the
# daemon needs on top of the shared milter template.
policy_module(milter_regex, 1.0.0)

########################################
#
# Declarations
#

# Instantiate the shared milter template for "regex".
# Presumably this is what declares milter_regex_t (the domain used in every
# rule below) and its related types; the template is defined outside this
# file, so confirm there which permissions it already grants.
milter_template(regex)

########################################
#
# Local policy
#

# The daemon starts as root, removes any existing socket (which may not be
# owned by root), and then calls setgid() and setuid() to drop privileges.
#   setuid / setgid - required for the privilege drop itself.
#   dac_override    - lets the root process bypass file permission (DAC)
#                     checks, here so it can unlink a socket it does not own.
# NOTE(review): dac_override is a broad capability. Type enforcement still
# limits which objects milter_regex_t can reach, but within those types the
# normal owner/mode checks no longer apply while the process holds it.
# Confirm it is still needed (e.g. the socket directory could be made
# writable by root without it) before carrying it forward.
allow milter_regex_t self:capability { setuid setgid dac_override };

# The milter's socket directory lives under /var/spool, so the domain needs
# to search the spool directory to reach it.
files_search_spool(milter_regex_t)

# Look up the username (and its uid/gid) for dropping privileges.
# NOTE(review): this interface follows whatever name-service backends the
# host is configured for, so its effective scope is wider than a local
# passwd lookup - verify that is acceptable for this domain.
auth_use_nsswitch(milter_regex_t)

# The configuration file is /etc/mail/milter-regex.conf; read-only access to
# the mail configuration is all that is requested here.
mta_read_config(milter_regex_t)